Risk acceptability alignment between ISO 14971 and IEC 62304

PaulG

Starting to get Involved
#1
I'm working on a risk management process for medical device software development and have a question re risk acceptability. In clause 4.3 of IEC 62304:2006 AMD1:2015, software is classified as B or C if it results in "unacceptable risk." It doesn't state that the unacceptable risk must be mitigated as long as the category B or C is used in the development process. However, under ISO 14971, if we analyze the same software risks as in our safety classification, using the same criteria for risk acceptability, then any unacceptable risk must be mitigated through risk controls or redesign. So, how in practice could any software be left at a B or C safety class if the "unacceptable" risk must be mitigated under ISO 14971 requirements? It seems like a bit of a conundrum.
 
Elsmar Forum Sponsor

blah01

Involved In Discussions
#2
Depends on the effect of the risk controls you implement. When talking about risks (i.e. harm to the user) you need to identify the probability of the harm occurring and the severity of the harm. If you are able to reduce the severity of the harm through risk controls then yes you could potentially change the safety class of that risk factor, but not all risk controls result in reducing the severity of the risk. Note that IEC 62304 4.3.a does state "which results in unacceptable RISK after consideration of RISK CONTROL measures". Therefore it's the residual risk (per ISO 14971) that then determines the safety class of the identified risk.

That's my interpretation anyhow and how I've implemented it.
 

PaulG

Starting to get Involved
#3
Thanks Marc, I appreciate these insights. What is your usual approach to the sequence of safety classification vs software risk analysis activities? My interpretation would be to perform the software safety classification before ISO 14971 software risk analysis, because safety class (per clause 7 of IEC 62304) determines the level of risk management activities required. For example, safety class A software does not require any of the risk management activities.
 

Tidge

Trusted Information Resource
#5
What is your usual approach to the sequence of safety classification vs software risk analysis activities? My interpretation would be to perform the software safety classification before ISO 14971 software risk analysis, because safety class (per clause 7 of IEC 62304) determines the level of risk management activities required.
My development projects that include software with ME devices start with a Hazard Analysis to see if the software can either contribute to unacceptable risks or will be allocate some element of controlling unacceptable risks. This is done before trying to evaluate the effectiveness of any non-software risk controls. So we don't do this before starting our 14971 process, but rather as part of the process.

Sidebar: The 'sub-process' step in the diagram of 4.3 is IMO deceptive, because it implies that a rather complete evaluation of all non-software risk control measures is to be done before entering the medical software development process. Except for the circumstance where the initial design has a clear allocation and segregation of risks arising (between hardware and software) from the device (the first decision diamond in 4.3) , this isn't practical: modern ME devices with software generally have parallel development between hardware and software elements. A further complication is that the FDA guidance requires determination of the "Level of Concern" prior to the implementation of risk controls; it would be disadvantageous to have to generate a different set of deliverables for an FDA submission and European registration.

With a preliminary Hazard Analysis (an early step in our 14971 process), the determination of classification is possible.

For example, safety class A software does not require any of the risk management activities.
I don't think it is precisely correct to say this. It is true that there are fewer required development deliverables for class A, but unless there literally is no "P1" for a software failure the only way you could claim that Class A software doesn't result in unacceptable risk would be to do the RM activities to support this conclusion.
 

PaulG

Starting to get Involved
#6
Great. Thanks again for the input. These are fairly abstract concepts so it's really valuable to hear examples of how they are applied in practice.
 

blah01

Involved In Discussions
#7
So we don't do this before starting our 14971 process, but rather as part of the process.
Agreed. For me doing risk assessment per ISO 14971 comes first keeping in mind that during the development phase of a product that the evaluation of effectiveness of risk controls can be an iterative process. In regards to the diagram in 4.3 of 62304 I simply see this as a high-level summary of 14971 actually with the resulting output being the classification of software system(s) in your product.

I don't think it is precisely correct to say this. It is true that there are fewer required development deliverables for class A, but unless there literally is no "P1" for a software failure the only way you could claim that Class A software doesn't result in unacceptable risk would be to do the RM activities to support this conclusion.
Agreed once again. One thing to note is that 14971 4.1 requires that results of the risk analysis be recorded in the risk management file; should that analysis conclude that no foreseeable hazards exist, that in itself needs to be recorded, and in effect, is part of RM activities.

Hope this helps.
 
Thread starter Similar threads Forum Replies Date
D Rationale for Risk Acceptability Matrix - ISO 14971 ISO 14971 - Medical Device Risk Management 9
I Is risk acceptability really needed if all risks must be reduced as far as possible? ISO 14971 - Medical Device Risk Management 6
A Risk Acceptability Criteria - Probability and Acceptability Level ISO 14971 - Medical Device Risk Management 1
K What is the policy for Risk Acceptability per ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 2
Sam Lazzara ISO 14971 Clause 7 - Evaluation of Overall Residual Risk Acceptability ISO 14971 - Medical Device Risk Management 3
M How to create the Policy for determining criteria for Risk Acceptability ISO 14971 - Medical Device Risk Management 11
B Residual Risk Acceptability - Where do I get this Data/Figures from? CE Marking (Conformité Européene) / CB Scheme 9
A How to Rate a Risk Acceptability and on What Basis is it Measured? ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 7
A Correlating Hazard Analysis and DFMEA Risk Acceptability Criteria FMEA and Control Plans 8
T Defining Criteria for Risk Acceptability - ISO 14971 Clause 3.2 ISO 14971 - Medical Device Risk Management 4
J HELP NEEDED ! Risk Management Exercise ISO 14971 - Medical Device Risk Management 12
O Should a Covid vaccine and testing policy be included as part of ISO9001 or AS9100 risk management? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
M Does 4.5 - Alternative RISK CONTROL apply to the Particular Standards? IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
Q Measurement Equipment Revocation - Looking for a Disposal Form with Risk Assessment IATF 16949 - Automotive Quality Systems Standard 10
B ISO13485 Risk managment implementation for suppliers ISO 14971 - Medical Device Risk Management 2
Moncia Chemical risk assessment / COSHH Manufacturing and Related Processes 5
E Supply chain main policies ,scope, risk assessments & relavant KPI Supply Chain Security Management Systems 2
D Use Error Risk Controls and Control Verification ISO 14971 - Medical Device Risk Management 6
J Risk Assessment of Lithium Ion Batteries FMEA and Control Plans 3
Melissa Risk Management Process, How far do I need to go? ISO 14971 - Medical Device Risk Management 10
D Does Risk Management apply to re-labeler (MDR) EU Medical Device Regulations 1
H Risk Management Plan in agile process ISO 14971 - Medical Device Risk Management 14
H Risk Analysis and Probability of Occurrence ISO 14971 - Medical Device Risk Management 3
B Risk analysis for defective measuring or measuring equipment out of calibration General Measurement Device and Calibration Topics 2
P Benefit risk analysis on pFMEA ISO 14971 - Medical Device Risk Management 9
B AS9102 - 3D printing a special tool required for assembly (counterfeit risk?) AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 12
K Defining risk control measures IEC 62304 - Medical Device Software Life Cycle Processes 14
U Supply risk management Manufacturing and Related Processes 4
T Biological Evaluation (10993) & Risk Management ISO 14971 - Medical Device Risk Management 9
D Cybersecurity and Risk Management: Loss of confidentiality IEC 62304 - Medical Device Software Life Cycle Processes 5
Q FMEA and Risk assessment in Microsoft Access FMEA and Control Plans 6
I Realization processes input into overall risk ISO 14971 - Medical Device Risk Management 2
M Need Help With Information Security Asset Risk Register IEC 27001 - Information Security Management Systems (ISMS) 2
thisby_ Post Market/Production Risk Assessment ISO 14971 - Medical Device Risk Management 0
S Risk Management Review ISO 14971 - Medical Device Risk Management 4
D Low risk IVD study in the UK, do I need MHRA approval? UK Medical Device Regulations 1
S Risk Management and other Files ISO 14971 - Medical Device Risk Management 8
silentmonkey Overall Benefit/Risk Analysis - Risk Management VS Clinical Evaluation ISO 14971 - Medical Device Risk Management 3
N ISO 27001 for Jumb Burger - Risk Assessment sheet IEC 27001 - Information Security Management Systems (ISMS) 11
C Risk Assessment Tools ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
qualprod Examples to mitigate risk from Covid ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
G Risk of stopping your customer's line IATF 16949 - Automotive Quality Systems Standard 4
C Risk Matrix vs FMEAs ISO 14971 - Medical Device Risk Management 12
S IVD risk class II devices for Brazil and MDSAP Other Medical Device Regulations World-Wide 0
M ISO 14971:2019: Criteria for overall residual risk ISO 14971 - Medical Device Risk Management 11
M ISO14971:2019 - Verification of implementation and effectiveness of risk control ISO 14971 - Medical Device Risk Management 5
Aymaneh Medical Device Cybersecurity Risk Management IEC 27001 - Information Security Management Systems (ISMS) 2
S Traceability of requirements to design and risk Design and Development of Products and Processes 3
R Risk control measures as per ISO 14971 ISO 14971 - Medical Device Risk Management 6
D Deciding whether or not pre-market clinical investigation is required for low risk device EU Medical Device Regulations 5

Similar threads

Top Bottom